New attack vectors introduced at CES

The annual Consumer Electronics Show (CES) is underway this week, and companies are unveiling their upcoming advances in technology.

So far, I’ve read about two things that can be attached to networks, bringing security concerns with them.

First, echoing an earlier post of mine, Samsung has announced a washer and dryer with wi-fi.

The reasoning behind this is that consumers can remotely start and monitor their laundry through smartphone apps, plus get alerts when it’s done.  This actually sounds pretty cool.

Of course the concern is that you are adding a strange new appliance to your home network.  I haven’t seen the full details of how the washer and dryer communicate, but its possible that they could become pivot points for someone to get into your network.

Here’s a plausible scenario:  Someone buys this washer and dryer set and puts it in their home.  They modify the firmware to include a secret backdoor, and sell their house with the washer and dryer included.

This previous owner now has internal access to the new owner’s network.  They can use that connection for illegal or unscrupulous activities, attracting any law enforcement response to the unsuspecting new owner.  They will claim innocence and insist they were hacked, but if there’s no rootkit or botnet found on their machines, will anyone think to look at the washer and dryer?

The other new product to include a network connection at this year’s CES is the Nikon D4.

This new flagship camera boasts many impressive advances (as it should for the $6,000 price tag).

One feature is the ability to connect directly to a network, and then be controlled via web browser.

The really interesting thing here is that the camera is running a lightweight http server.  Like the washer and dryer, this can potentialy be modified for nefarious purposes.  Unlike the washer and dryer, this is a portable device that could be plugged into any ethernet network (or hooked up to wi-fi).  So, someone hacks the firmware so that the http server does something evil (backdoor, spreads a worm, etc.).  Then just plugs the camera into a network they want to attack.

Of course, a properly secured network would not allow a rogue device to communicate with anything, but properly secured networks are few and far between.



2 responses

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s